From what I can tell the SNI is not added for cache peers. In
Ssl::PeerConnector::initializeSsl if "peer" is set then the call to
Ssl::setClientSNI is skipped. Also the SSL context doesn't have the hostname
or a callback set, and sslCreateClientContext doesn't appear to be able to
set it either.
openssl test to reproduce the error:

openssl s_client -connect www.coursera.org:443  - FAILS (testing with
coursera since it is also hosted on cloudfront and uses TLS/SNI)

CONNECTED(0003)
140225331586752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt
On 14/02/2017 4:40 a.m., Philip Munaawa wrote:
> I am trying to reverse proxy a site hosted on cloudfront, using the normal
> https_port accel. I have the key/cert pair for the origin. The cloudfront
> uses TLS/SNI to negotiate an SSL connection. However, when I try to connect
> through the proxy,
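To make the failure mode above concrete, here is an added example (not Squid code and not from either poster) that builds a minimal TLS ClientHello with and without the server_name extension, parses the SNI back out, and models a name-based front end that refuses a ClientHello carrying no SNI, which is what a CloudFront-style origin does when the proxy-to-peer connection omits it. The host names, the single cipher suite and the fixed random bytes are constructed for the example; the front-end behaviour is a simplified model, not CloudFront's actual logic.

```python
import struct

SNI_EXT_TYPE = 0x0000          # TLS extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00          # ServerNameList name_type for host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record; add an SNI extension if a name is given."""
    client_version = b"\x03\x03"
    random_bytes = b"\x00" * 32                # constructed, fixed for determinism
    session_id = b"\x00"                       # empty session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"  # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                  # one method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    body = client_version + random_bytes + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos >= len(body):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            p = 2                               # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + nlen]
                p += nlen
                if ntype == HOST_NAME_TYPE:
                    return name.decode("ascii")
    return None


def simulate_sni_frontend(record, hosted_names):
    """Model (simplified, hypothetical) of a shared front end that needs SNI to pick a certificate."""
    name = extract_sni(record)
    if name is None:
        return "handshake failure (no SNI)"
    if name not in hosted_names:
        return "handshake failure (unknown name %s)" % name
    return "certificate for " + name


if __name__ == "__main__":
    hosted = {"www.example.org"}                # constructed set of names the front end serves
    print(simulate_sni_frontend(build_client_hello(), hosted))
    print(simulate_sni_frontend(build_client_hello("www.example.org"), hosted))
```

The no-SNI path is the one the proxy-to-peer connection takes when Ssl::setClientSNI is skipped; the front end has nothing to select a certificate with and aborts the handshake. The same contrast can be checked against a live host by running the poster's openssl command twice, once as written and once with `-servername <host>` added, and comparing the results.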
I am trying to reverse proxy a site hosted on cloudfront, using the normal
https_port accel. I have the key/cert pair for the origin. The cloudfront
uses TLS/SNI to negotiate an SSL connection. However, when I try to connect
through the proxy, I get the error below in the logs:
Error negotiating S